Manage Certificate Exclude List

Created On 09/25/18 20:34 PM - Last Modified 07/29/20 23:00 PM


Symptom


Administrators have more control over the certificate exclude lists in PAN-OS 8.0. PAN-OS maintains a pre-defined certificate exclude list containing the CNs of certificates for which SSL decryption is bypassed. PAN-OS 8.0 exposes this list, which is delivered via content update, in both the GUI and the CLI, and allows admins to enable or disable the pre-defined entries and to add custom entries to the existing list.

Environment


  • PAN-OS 8.0


Resolution


The list can be accessed via the Device tab > Certificate Management > SSL Decryption Exclusion.

[Screenshot: ssl decryption exclusion.png]

The list shows three types of entries:

  • Pre-defined: Pushed via content update
  • Shared: Custom shared entries created by admin
  • Custom per VSYS: Custom entries specific to VSYS created by admin

Pre-defined entries can be modified, disabled or enabled per VSYS.

All the entries in a list must be unique. If a pre-defined entry matches an existing custom entry, the custom entry takes precedence and remains unchanged.

Entries in the list are compared against the SNI requested in the Client Hello or against the CN/SAN names in the server certificate:

  • If a match occurs with an enabled entry in the exclude list, decryption for that website is bypassed.
  • If no match occurs, the firewall decrypts the traffic.

The pre-defined, shared and VSYS lists may contain the same hostname. For example, all three may contain the ‘*.icloud.com’ entry with a different status (‘enable’ or ‘disable’) in each list.

The data plane consults the lists in this order to decide exclusion: VSYS, then shared, then pre-defined.
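The following Python model is an added illustration of the lookup described above; it is not Palo Alto Networks code and does not reflect the PAN-OS implementation. It assumes that the first list (VSYS, shared, pre-defined) containing a matching entry decides based on that entry's enabled/disabled status, and that a '*.' entry covers any subdomain but not the bare domain; the sample lists are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ExcludeEntry:
    hostname: str          # CN/SAN/SNI pattern, e.g. '*.icloud.com'
    enabled: bool = True   # "Exclude" checked / pre-defined entry not disabled

@dataclass
class ExcludeLists:
    vsys: list = field(default_factory=list)
    shared: list = field(default_factory=list)
    predefined: list = field(default_factory=list)

def entry_matches(pattern: str, name: str) -> bool:
    """Case-sensitive comparison. '*.example.com' covers any subdomain of
    example.com but not example.com itself (assumed wildcard semantics)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # '.example.com'
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name

def is_excluded(lists: ExcludeLists, names: list) -> tuple:
    """Decide whether decryption is bypassed for one connection.
    `names` holds what the firewall compares: the SNI from the Client Hello
    and the CN/SAN names from the server certificate. Lists are consulted in
    the order vsys, shared, pre-defined. Assumption: the first entry that
    matches decides, so a disabled entry in a higher-priority list hides an
    enabled one further down. Returns (bypass, matching_pattern_or_None).
    """
    for scope in (lists.vsys, lists.shared, lists.predefined):
        for entry in scope:
            for name in names:
                if entry_matches(entry.hostname, name):
                    return entry.enabled, entry.hostname
    return False, None

def build_sample_lists() -> ExcludeLists:
    """Constructed sample data mirroring the article: the same '*.icloud.com'
    entry appears in more than one list with a different status."""
    return ExcludeLists(
        vsys=[ExcludeEntry("*.bankofamerica.com")],
        shared=[ExcludeEntry("*.icloud.com", enabled=False)],
        predefined=[ExcludeEntry("*.icloud.com"), ExcludeEntry("whatsapp.net")],
    )

if __name__ == "__main__":
    lists = build_sample_lists()
    for sni in ("whatsapp.net", "Whatsapp.net", "www.icloud.com", "icloud.com"):
        print(sni, "->", is_excluded(lists, [sni]))
```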

Manually adding an exclusion:

  1. SSL Decryption Exclusion > Add Entry
  2. Hostname: the common name of the certificate that needs to be excluded from decryption. It is case sensitive.
  3. Description: a custom message
  4. Select the “Exclude” radio button

[Screenshot: ssldecrypt.png]

Commands available via the CLI:

  • New exclude entries can be configured using (the CLI completion lists the existing entries followed by the <value> placeholder):
# set shared ssl-decrypt ssl-exclude-cert
  *.bankofamerica.com   *.bankofamerica.com
  *.ycharts.com         *.ycharts.com
  <value>               SSL Decryption Exclusion entry name
  • Pre-defined entries can be disabled using (the opening bracket starts a list of values):
# set shared ssl-decrypt disabled-ssl-exclude-cert-from-predefined [ ...
  • Test command for checking a website hostname against the exclude lists on the firewall:

test ssl-exclude-list
> predefined   Test hostname in predefined SSL Exclude list
> shared       Test hostname in shared SSL Exclude list
> vsys         Test hostname in vsys SSL Exclude list

Additional Information


  • The hostname in the SSL Decryption Exclusion list is case sensitive. See the following example:
PA-3060(active)> test ssl-exclude-list predefined hostname whatsapp.net

Hostname 'whatsapp.net' is excluded from decryption


PA-3060(active)> test ssl-exclude-list predefined hostname Whatsapp.net

Hostname 'Whatsapp.net' is not excluded from decryption


PA-3060(active)>


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhrCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail